Firepower 7000 and 8000 Series Installation Guide
Chapter 3 Deploying Firepower Managed Devices
Deployment Options
• Mesh deployments connect all endpoints together by means of VPN tunnels. This offers redundancy: when one endpoint fails, the remaining endpoints can still communicate with each other. Use a mesh deployment to connect a group of decentralized branch office locations to ensure that traffic can travel even if one or more VPN tunnels fail. The number of VPN-enabled managed devices you deploy in this configuration controls the level of redundancy.
For more information on gateway VPN configuration and deployments, see Gateway VPN in the Firepower Management Center Configuration Guide.
Deploying with Policy-Based NAT
You can use policy-based network address translation (NAT) to define policies that specify how you want to perform NAT. You can target your policies to a single interface, one or more devices, or entire networks.
You can configure static (one-to-one) or dynamic (one-to-many) translation. Note that dynamic translations are order-dependent: rules are evaluated from the top of the policy down, and the first matching rule is applied, so a broad rule placed above a more specific one will shadow it.
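The following is an added illustration of the static versus dynamic distinction and of first-match rule ordering; it is a toy model written for this page, not Firepower code, and the rule names, private ranges and documentation-prefix public addresses in it are assumed for the example. It shows that the same host is translated differently depending on whether a broad /16 dynamic rule sits above or below a more specific /24 rule.

```python
"""Toy model of policy-based NAT: static (one-to-one) rules, dynamic
(one-to-many) rules, and top-down first-match evaluation.
Added illustration only; this is not Firepower code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    name: str          # assumed rule name, for the example only
    kind: str          # "static" (one-to-one) or "dynamic" (one-to-many)
    original: Net      # private addresses the rule matches on
    translated: Net    # static: same-size public block; dynamic: pool of public addresses

    def __post_init__(self):
        if self.kind not in ("static", "dynamic"):
            raise ValueError(f"unknown rule kind {self.kind!r}")
        if self.kind == "static" and self.original.prefixlen != self.translated.prefixlen:
            # one-to-one needs equal-size blocks, otherwise hosts cannot map uniquely
            raise ValueError(f"{self.name}: static rule needs equal-size original/translated blocks")


class NatPolicy:
    """Evaluates rules top-down; the first rule whose 'original' block contains
    the source address wins, so rule order changes the outcome."""

    def __init__(self, rules: List[NatRule]):
        self.rules = list(rules)
        # per-rule round-robin cursor into the dynamic pool
        self._cursor: Dict[str, int] = {r.name: 0 for r in self.rules}

    def translate(self, src: str) -> Tuple[Optional[str], str]:
        host = IPv4(src)
        for rule in self.rules:
            if host not in rule.original:
                continue
            if rule.kind == "static":
                # keep the host offset inside the block: 10.1.5.7 -> 198.51.100.7
                offset = int(host) - int(rule.original.network_address)
                return rule.name, str(IPv4(int(rule.translated.network_address) + offset))
            pool = list(rule.translated)   # every address in the pool block
            idx = self._cursor[rule.name] % len(pool)
            self._cursor[rule.name] += 1
            return rule.name, str(pool[idx])
        return None, src   # no rule matched: address leaves untranslated


def demo_static() -> str:
    """One-to-one: each private host gets its own fixed public address."""
    policy = NatPolicy([NatRule("dmz-1to1", "static", Net("10.1.5.0/24"), Net("198.51.100.0/24"))])
    return policy.translate("10.1.5.7")[1]


def demo_order_dependence() -> Tuple[str, str]:
    """Same host, same two dynamic rules, different order, different result."""
    broad = NatRule("all-branch", "dynamic", Net("10.1.0.0/16"), Net("203.0.113.10/32"))
    specific = NatRule("finance-vlan", "dynamic", Net("10.1.5.0/24"), Net("203.0.113.20/32"))
    broad_first = NatPolicy([broad, specific]).translate("10.1.5.7")[1]
    specific_first = NatPolicy([specific, broad]).translate("10.1.5.7")[1]
    return broad_first, specific_first


if __name__ == "__main__":
    print(demo_static())             # 198.51.100.7
    print(demo_order_dependence())   # ('203.0.113.10', '203.0.113.20')
```

The practical check this encodes: when a dynamic rule does not seem to take effect, look for a broader rule above it in the policy, because the first match wins and the more specific rule below it is never reached.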
Policy-based NAT typically operates in the following deployments:
• Hide your private network address. When you access a public network from your private network, NAT translates your private network address to your public network address. Your specific private network address is hidden from the public network.
• Allow access to a private network service. When a public network accesses your private network, NAT translates your public address to your private network address. The public network can access your specific private network address.
• Redirect traffic between multiple private networks. When a server on a private network accesses a server on a connected private network, NAT translates the private addresses between the two private networks to ensure there is no duplication in private addresses and traffic can travel between them.
Using policy-based NAT removes the need for additional hardware and consolidates the configuration of your intrusion detection or prevention system and NAT into a single user interface. For more information, see Using NAT Policies in the Firepower Management Center Configuration Guide.
Deploying with Access Control
Access control is a policy-based feature that allows you to specify, inspect, and log the traffic that can enter, exit, or travel within your network. The following section describes how access control can function in your deployment. See the Firepower Management Center Configuration Guide for more information on this feature.
An access control policy determines how the system handles traffic on your network. You can add access control rules to your policy to provide more granular control over how you handle and log network traffic.
An access control policy that does not include access control rules uses one of the following default actions to handle traffic:
• block all traffic from entering your network
• trust all traffic to enter your network without further inspection